I've seen this before on a WordPress site, it was either the result of the owner using ftp on a windows PC that had been compromised or an ftp or ssh brute force attack.

The code is installed from a standard web server hack kit.

Annoying, lucky it was not a server I had set up..